From 9e2efdf6b39b999df6fb1ef3b07fcb0d342a84f3 Mon Sep 17 00:00:00 2001 From: Nydragon Date: Tue, 8 Oct 2024 02:41:00 +0200 Subject: [PATCH] feat(nginxproxymanager): add container, raptus to tailnet and remove ssh from raptus --- hosts/brontes/configuration.nix | 12 +-- hosts/default.nix | 36 ++++--- hosts/marr/configuration.nix | 1 - hosts/raptus/configuration.nix | 23 ++-- hosts/raptus/headscale.nix | 29 +++++ hosts/shan/configuration.nix | 14 ++- modules/default.nix | 1 + options/container/default.nix | 5 +- options/container/kitchenowl/default.nix | 2 +- options/container/nginxproxymanager.nix | 129 +++++++++++++++++++++++ options/services/tailscale.nix | 6 ++ parts/lib/functions.nix | 2 +- secrets/adguard-dns-list.age | Bin 668 -> 668 bytes secrets/couchdb.age | 19 ++-- secrets/navidrome.age | Bin 748 -> 748 bytes secrets/rustypaste.age | Bin 509 -> 729 bytes secrets/secrets.nix | 3 +- 17 files changed, 227 insertions(+), 55 deletions(-) create mode 100644 options/container/nginxproxymanager.nix diff --git a/hosts/brontes/configuration.nix b/hosts/brontes/configuration.nix index 460f105..4a083e0 100644 --- a/hosts/brontes/configuration.nix +++ b/hosts/brontes/configuration.nix @@ -1,15 +1,8 @@ # vim:fileencoding=utf-8:foldmethod=marker -{ - pkgs, - inputs, - username, - ... -}: +{ pkgs, username, ... }: { imports = [ - # Include the results of the hardware scan. ./hardware-configuration.nix - ../../modules ./home.nix ]; @@ -20,7 +13,10 @@ age.secrets.rustypaste = { file = ../../secrets/rustypaste.age; + mode = "440"; + group = "wheel"; }; + #: Power Consumption {{{ services.logind = { powerKey = "hibernate"; diff --git a/hosts/default.nix b/hosts/default.nix index 31871a1..b7db1d6 100644 --- a/hosts/default.nix +++ b/hosts/default.nix 
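Review bot: `mode = "440"; group = "wheel";` on `age.secrets.rustypaste` lets every member of `wheel` read the decrypted secret directly, without the sudo step that group otherwise implies, which is wider than the single service that consumes it. A narrower grant is a group that contains only the user rustypaste runs as (or `owner` set to that user with the default mode), and a one-line comment stating who needs the read access would make the choice reviewable later. The first brontes hunk only drops the unused `inputs` argument and the `../../modules` import that parts/lib/functions.nix now adds for every host.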
@@ -1,41 +1,49 @@ { inputs, withSystem, ... }: let inherit (inputs.self.lib.my) mkSystem; + inherit (inputs.self.lib) listToAttrs; + + mkSystem' = sys: { + name = sys.hostname; + value = mkSystem ({ inherit withSystem; } // sys); + }; in { - flake.nixosConfigurations = { - marr = mkSystem { - inherit withSystem; + flake.nixosConfigurations = listToAttrs [ + (mkSystem' { hostname = "marr"; system = "x86_64-linux"; extraModules = [ inputs.agenix.nixosModules.default ]; - }; + }) - brontes = mkSystem { - inherit withSystem; + (mkSystem' { hostname = "brontes"; system = "x86_64-linux"; extraModules = [ inputs.agenix.nixosModules.default ]; - }; + }) - shan = mkSystem { - inherit withSystem; + (mkSystem' { hostname = "shan"; system = "x86_64-linux"; extraModules = [ inputs.disko.nixosModules.disko inputs.agenix.nixosModules.default ]; - }; + }) - raptus = mkSystem { - inherit withSystem; + (mkSystem' { hostname = "raptus"; system = "x86_64-linux"; extraModules = [ inputs.disko.nixosModules.disko inputs.agenix.nixosModules.default ]; - }; - }; + }) + + (mkSystem' { + hostname = "nihilus"; + system = "aarch64-linux"; + extraModules = [ ]; + }) + ]; } diff --git a/hosts/marr/configuration.nix b/hosts/marr/configuration.nix index 4d161e3..06d9243 100644 --- a/hosts/marr/configuration.nix +++ b/hosts/marr/configuration.nix @@ -9,7 +9,6 @@ { imports = [ ./hardware-configuration.nix - ../../modules ./home.nix ]; diff --git a/hosts/raptus/configuration.nix b/hosts/raptus/configuration.nix index 42042ae..cc1619e 100644 --- a/hosts/raptus/configuration.nix +++ b/hosts/raptus/configuration.nix @@ -17,7 +17,6 @@ in ./rustypaste ./forgejo ./headscale.nix - ../../modules ]; age.secrets = { 
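Review bot: The five `(mkSystem' { ... })` applications repeat the same call around each host attrset; mapping once reads cleaner and keeps a new host to one attrset, `flake.nixosConfigurations = listToAttrs (map mkSystem' [ { hostname = "marr"; ... } ... ]);`. `inherit (inputs.self.lib) listToAttrs;` assumes the flake's own `lib` re-exports nixpkgs' `listToAttrs`; that definition is outside this hunk, so confirm it is exported there rather than only under `lib.my`. The new `nihilus` entry is the only host without the agenix module, which presumably means it holds no secrets yet; a short comment saying so would stop the omission from looking accidental.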
@@ -29,15 +28,21 @@ in efiSupport = true; efiInstallAsRemovable = true; }; + + modules.services.tailscale = { + enable = true; + tags = [ "server" ]; + extraFlags = [ "--accept-dns=false" ]; # Want to disable that since *server* can't access the private dns... for now + }; + services.headscale.enable = true; + networking.firewall = lib.mkForce { enable = true; allowedTCPPorts = [ 80 # for acme challenges 443 - 3000 # forgejo - 8000 # rustypaste - ] ++ config.services.openssh.ports ++ [ config.services.endlessh.port ]; + ] ++ [ config.services.endlessh.port ]; }; age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; @@ -56,11 +61,6 @@ in ]; }; - services.openssh = { - enable = true; - ports = [ 56528 ]; - }; - services.endlessh = { enable = true; port = 22; @@ -71,10 +71,5 @@ in pkgs.gitMinimal ]; - users.users = { - root.openssh.authorizedKeys.keys = [ pubkeys.ny ]; - ny.openssh.authorizedKeys.keys = [ pubkeys.ny ]; - }; - system.stateVersion = "24.11"; } diff --git a/hosts/raptus/headscale.nix b/hosts/raptus/headscale.nix index f95b2ea..0fc20a3 100644 --- a/hosts/raptus/headscale.nix +++ b/hosts/raptus/headscale.nix @@ -49,6 +49,35 @@ mkIf config.services.headscale.enable { nameservers = [ "100.64.0.4" ]; + extra_records = + let + mkRecords = map (sub: { + name = "${sub}.ccnlc.eu"; + type = "A"; + value = "100.64.0.4"; + }); + in + [ + { + name = "ccnlc.eu"; + type = "A"; + value = "100.64.0.4"; + } + ] + # Tailscale doesn't seem to support wildcard A/AAAA records + # - https://github.com/juanfont/headscale/issues/2159#issuecomment-2393406444 + ++ mkRecords [ + "immich" + "adguard" + "nextcloud" + "kitchenowl" + "navidrome" + "subsonic" + "nextcloud" + "paperless" + "truenas" + "fritz" + ]; }; }; }; diff --git a/hosts/shan/configuration.nix b/hosts/shan/configuration.nix index e504ba0..10740a0 100644 --- a/hosts/shan/configuration.nix +++ b/hosts/shan/configuration.nix 
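Review bot: With `services.openssh` and both `authorizedKeys` entries removed in the two later hunks of this file, remote shell access to raptus now rests solely on Tailscale SSH (the tailscale module's `defaultFlags` default to `--ssh`), while this same host runs the headscale control plane (`services.headscale.enable = true;`) that authorizes that access. If headscale, its database or the node's own tailnet login breaks, the machine that needs repair is the one that just became unreachable, so keep and document an independent break-glass path (out-of-band console, or a second access method that does not depend on the tailnet) before relying on this. The firewall block should record the new dependency, e.g. `# 22 is endlessh; admin shell access is Tailscale SSH only — see headscale.nix`. The `--accept-dns=false` comment describes a temporary workaround; a note on what has to change for it to go away would help. The enclosing module starts and ends outside these hunks.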
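Review bot: `"nextcloud"` appears twice in the `mkRecords` list, so two identical A records are emitted for `nextcloud.ccnlc.eu`; drop one occurrence. Every record resolves to `100.64.0.4`, the same address as `nameservers`, so a comment naming which node that is (presumably the host running the reverse proxy and DNS — confirm) would save the next reader a lookup, and the apex record could reuse `mkRecords`' value through a shared `let` binding instead of repeating the literal. The `mkIf config.services.headscale.enable` block begins outside the hunk.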
@@ -9,7 +9,6 @@ imports = [ (modulesPath + "/profiles/qemu-guest.nix") ./disk-config.nix - ../../modules ./adguard.nix ]; @@ -27,10 +26,15 @@ }; modules = { - container.kitchenowl = { - enable = true; - openFirewall = true; - version = "v0.5.2"; + container = { + kitchenowl = { + enable = true; + openFirewall = true; + version = "v0.5.2"; + }; + nginxproxymanager = { + enable = true; + }; }; server = { diff --git a/modules/default.nix b/modules/default.nix index c8d308d..bf6155d 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -24,5 +24,6 @@ ./nix ./themes + ./commons ]; } diff --git a/options/container/default.nix b/options/container/default.nix index 79c3ae1..e96acb7 100644 --- a/options/container/default.nix +++ b/options/container/default.nix @@ -4,7 +4,10 @@ let inherit (lib) mkIf mkEnableOption; in { - imports = [ ./kitchenowl ]; + imports = [ + ./kitchenowl + ./nginxproxymanager.nix + ]; options.modules.container = { enable = mkEnableOption "container support"; diff --git a/options/container/kitchenowl/default.nix b/options/container/kitchenowl/default.nix index 9512505..e515f7a 100644 --- a/options/container/kitchenowl/default.nix +++ b/options/container/kitchenowl/default.nix @@ -11,7 +11,7 @@ let in { options.modules.container.kitchenowl = { - enable = mkEnableOption "Whether to enable the kitchenowl container"; + enable = mkEnableOption "kitchenowl container"; port = mkOption { type = port; default = 82; diff --git a/options/container/nginxproxymanager.nix b/options/container/nginxproxymanager.nix new file mode 100644 index 0000000..3ee37cf --- /dev/null +++ b/options/container/nginxproxymanager.nix 
@@ -0,0 +1,129 @@ +{ + lib, + config, + pkgs, + ... +}: +let + inherit (lib) mkIf mkEnableOption mkOption; + inherit (lib.types) port; + + cfg = config.modules.container.nginxproxymanager; + mkPortOption = + portNr: desc: + mkOption { + type = port; + default = portNr; + description = desc; + }; +in +{ + options.modules.container.nginxproxymanager = { + enable = mkEnableOption "Nginx Proxy Manager container"; + + ports = { + http = mkPortOption 80 "Port for http access"; + https = mkPortOption 443 "Port for https access"; + web = mkPortOption 81 "Port for the webpage"; + }; + }; + + config = mkIf cfg.enable { + modules.container.enable = true; + + # Containers + virtualisation.oci-containers.containers."nginxproxymanager" = { + image = "jc21/nginx-proxy-manager:latest"; + volumes = [ + "nginx_letsencrypt:/etc/letsencrypt:rw" + "nginx_nginx:/data:rw" + ]; + ports = [ + "${toString cfg.ports.http}:80/tcp" + "${toString cfg.ports.web}:81/tcp" + "${toString cfg.ports.https}:443/tcp" + ]; + log-driver = "journald"; + extraOptions = [ + "--network-alias=nginxproxymanager" + "--network=nginx_default" + ]; + }; + + #: Systemd services {{{ + systemd = { + services = { + "podman-nginxproxymanager" = { + serviceConfig = { + Restart = lib.mkOverride 500 "always"; + }; + after = [ + "podman-network-nginx_default.service" + "podman-volume-nginx_letsencrypt.service" + "podman-volume-nginx_nginx.service" + ]; + requires = [ + "podman-network-nginx_default.service" + "podman-volume-nginx_letsencrypt.service" + "podman-volume-nginx_nginx.service" + ]; + partOf = [ + "podman-compose-nginx-root.target" + ]; + wantedBy = [ + "podman-compose-nginx-root.target" + ]; + }; + + # Networks + "podman-network-nginx_default" = { + path = [ pkgs.podman ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + ExecStop = "podman network rm -f nginx_default"; + }; + script = '' + podman network inspect nginx_default || podman network create nginx_default + ''; + partOf = [ 
"podman-compose-nginx-root.target" ]; + wantedBy = [ "podman-compose-nginx-root.target" ]; + }; + + # Volumes + "podman-volume-nginx_letsencrypt" = { + path = [ pkgs.podman ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + }; + script = '' + podman volume inspect nginx_letsencrypt || podman volume create nginx_letsencrypt + ''; + partOf = [ "podman-compose-nginx-root.target" ]; + wantedBy = [ "podman-compose-nginx-root.target" ]; + }; + "podman-volume-nginx_nginx" = { + path = [ pkgs.podman ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + }; + script = '' + podman volume inspect nginx_nginx || podman volume create nginx_nginx + ''; + partOf = [ "podman-compose-nginx-root.target" ]; + wantedBy = [ "podman-compose-nginx-root.target" ]; + }; + }; + targets."podman-compose-nginx-root" = { + unitConfig = { + Description = "Root target generated by compose2nix."; + }; + wantedBy = [ "multi-user.target" ]; + }; + }; + #: }}} + }; + +} diff --git a/options/services/tailscale.nix b/options/services/tailscale.nix index 8dd3089..239f72b 100644 --- a/options/services/tailscale.nix +++ b/options/services/tailscale.nix @@ -43,6 +43,11 @@ in type = listOf str; default = [ "--ssh" ]; }; + + extraFlags = mkOption { + type = listOf str; + default = [ ]; + }; }; config = mkIf cfg.enable { @@ -50,6 +55,7 @@ in enable = true; extraUpFlags = concatLists [ cfg.defaultFlags + cfg.extraFlags ( mkIf cfg.tags != [ ] [ "--advertise-tags" diff --git a/parts/lib/functions.nix b/parts/lib/functions.nix index 4475ef0..b0b767a 100644 --- a/parts/lib/functions.nix +++ b/parts/lib/functions.nix @@ -32,7 +32,7 @@ in modules = [ "${self}/hosts/${hostname}/configuration.nix" "${self}/options" - "${self}/modules/commons" + "${self}/modules" { networking.hostName = hostname; } ] ++ extraModules; specialArgs = { 
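Review bot: `image = "jc21/nginx-proxy-manager:latest";` pins nothing, so every pull may silently swap the component that terminates TLS for the tailnet services and a rebuild is not reproducible; the sibling kitchenowl module already exposes a `version` option (shan sets `version = "v0.5.2"`), so mirror it here and, preferably, pin by digest. The `ports` entries publish 80, 81 and 443 on all host interfaces (podman's default bind), and unlike kitchenowl there is no `openFirewall` option, so whether the admin UI on `ports.web` is reachable beyond the host depends entirely on firewall configuration this module does not touch; consider an `openFirewall` that opens only `http`/`https` and a comment stating that 81 is meant to stay local/tailnet only. The `mkPortOption` descriptions could also say what is exposed, e.g. `"Host port published for the admin web UI (container port 81)"`. Adding a `version` option needs `str` brought in alongside `port` from `lib.types`.

```nix
  options.modules.container.nginxproxymanager = {
    enable = mkEnableOption "Nginx Proxy Manager container";

    version = mkOption {
      type = str;
      default = "<PINNED_TAG_OR_DIGEST>"; # placeholder: replace with a released tag or @sha256 digest
      description = "Tag or digest of jc21/nginx-proxy-manager to run";
    };
    # … unchanged: ports …
  };
  # … unchanged: config block up to the container definition …
      image = "jc21/nginx-proxy-manager:${cfg.version}";
```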
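Review bot: The new `extraFlags` option has no `description`, so it is invisible in generated option docs and its relation to `defaultFlags` is unstated; add `description = "Additional flags appended after defaultFlags when running tailscale up";`. Because it is concatenated after `cfg.defaultFlags` in the second hunk, `--ssh` stays in effect for every host that only sets `extraFlags`; that appears intended (raptus now depends on it) and is worth saying in the description so nobody expects `extraFlags` to replace the defaults. The `concatLists` expression continues outside the hunk.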
diff --git a/secrets/adguard-dns-list.age b/secrets/adguard-dns-list.age index 90d3d30ee1467791091a2c639eca1a7ccf99f8b4..6649fa46c58a54995484308a725530093b7432b9 100644 GIT binary patch delta 597 zcmWO2OKZ~r007_(H(~YQYuZgj$`p~!&@^fKKqz!gnxt9UC2f-?h+>+iX_};2(hRg}mgAYVJDIy3mJg6XuLl8W8al0r8vV*vv@O{gJ%Y$>Ldj(uBI}Q!= zM3?oU3E5T&RYem`&LQIs4`b_TuW4r8I$~A>(FwUmR{ThggLIT=*_I!L3MIPgsw&}L zpizzWK*pzd903DBDrDO#P?I49i6lc3Oz6|;kWWf-Cs(lGA`aJNP)cUiX0}m@QA%bi ztW$CZ!SD&GZGd(<8i1@x&B!8HG7sf*vn5(<=1i|sDwv4KXK;g+U5BYoV}?aCH+}_q z2DjW9UoV&Ke9iJmf#Gnr1>j0-gnVLVn) z{E``#K)1*i>up9?V3TB`iCgFUgT0v2VW_ACsxBR$g&4jlz#_td9#r9r3hjfM9rsa4 zLK`?8m==_s5M7vcA-PKAnVLzezJmFjM08zSPq=K0cPf~Yqjr`6AkOU0 z4}4hr`S|kP0{U_6$na$9W^m=?qs=qhpWx?vpS``laZN1o2mRpE{;|IGx!S)&<6!n& z-|yY~Mh)iPgT|{TV?*ZJ_+qcyyELNN;wlALFAgs*@LPM3jf%m+$9K^ozlP g&qnI(yB`UOZ##cR=-1tW;qC8l{;o)?Ul&sU0Y6~bD*ylh delta 597 zcmWO2-%Hd0003YzeCP=5C8c^fsX#i9xw+l$dN6P9=Ka|1Ht%-(@e-!VFweGd<#labXYS>Z|XQy1J zBPy)QGZICM5&*RkF7SYwPm2gYggRWk8G?n3WXiS>kux5WqXk0|nFy3pVuhRbHd zw_GMm19{L=D+wi2(%I$fC;DdEdZ(O-uoRA9Rn^n&fX3UjC2O>l0DQlR`9U5Fh=Pc4 zUP!DVX{ia;O~aF87GAWOaYm&6FGZu_M1z#;t)fkFIgQE5 z^<+8~&l(09@#2a`RL5g{b_P>aiJOSTL&n+f_Ya?P2QP(J%X6!@79LQ~d(Qt_nSXZY zn?CpGOE34NAG#^@v{#$C8+H{vH?VvAb8Y(MF(2OkJNR>PDgLH&dh-jAJyE7HS* z(WA!nXfsYi!2aXv#g+MM>s?##)z|8ylQT>~FSULV{$b!MgiD!O-J e=V ssh-ed25519 biwZXw Adz1IbWLQ7LnJlNGRlIhTQq0jJ0frIR+L0aGcE0d5nk -xUGt5Us/cAU9JVeLv0Ia8peWZLct8YW9i+77IgiU2cI --> ssh-ed25519 b3HlPA iVld+xe6mvJMzAvmjPOTahcUSqOE0uGS/2GdQc0dSTQ -EG+h6L5v/KW3miD4Hy4goco2e507GOZKsHCE2kT5ERQ --> ssh-ed25519 cdUqUg FNFD1htaxYDyhn/xBg1l/WnAytplKlzPWWI5zu7ntVc -1IsEr/7H5fdtJII39pkktikJ/qwUn2eZ+/BowOVwkDo ---- tcg5/OhNjGKdd4nIYE1o5z6tY4W/eoA4OjgNvdFi4gM -z<K4 '`> 2TOuj*B2.pTt\ -X@׼}MU3^{B4j=]Af8ιSQ}$0; \ No newline at end of file +-> ssh-ed25519 biwZXw M19MPetxrj5viO9n3YQ80hEObhyJg5IZnNycR3Wzqk4 +YBOWqQzb+zU8tSwEcrsr/ocPj6kzSly2wbJq0WK+gDM +-> ssh-ed25519 b3HlPA Z01OXca+e/XNFR0V9hPlCMZaQUdmbDfIqhQvLSfF5is +bjPwLeKSzatDDIjAaKh1q4ZdgEvHB82EyC4hSzS4qXE +-> 
ssh-ed25519 cdUqUg 97W5cmHE/PS0MAlel2MDdzYJVinRVxBkigbV+c/xLRk +UyMUJYb+782FZEbuCcn4xj62bCLaYSBLD5714xpQN4c +-> ssh-ed25519 a1hgwg +kQW6lvFa/sTuU91My1NepIasAFnscjluc3z3zyHWws +rx/jQxCiC6sjGeXYeZcW0+UxkQr8uHNJKCGPxvH9GqQ +--- VGD7NEIKcPMDhDKCGXKP+kXXf1YIPIK/y64k5e4YFTs +bwXm ws hF1ɭ+Zܠ}LY Zݍfgq]̃txۯ`w)Y%u^_v8QZfqu:g1 V!’A[e{Tn -f \ No newline at end of file diff --git a/secrets/navidrome.age b/secrets/navidrome.age index eedc7ef60337acce246944fcf4bf921d00766ea4..5e4c32b0f8e3559f747e69184bb0646882736471 100644 GIT binary patch delta 677 zcmV;W0$Tm-1?&ZoEPpdrQ7<-DZA>sLO;lnsPEKxPT5CdAa!N>XGgL}iS3zt~I4e&> zN^C-RNeWSNQdvfDIWbjLZ!u^=WomClVn%sSNlk5LN{`-OHgG@c|kWsH&Hk>RZmMpbwyTCL{(HwD{nGNFiA9%UjY|?bTUa~ zcu;axFjGY{OmtC8S2$^LMRRK}PH|FtT3U8#dUQB(SwU55Nk>r%ZCO?;R!B5KT1R(N zS59ejLQhR(G;CK-NOMVcaCu{AD`_`xR##~>MS5=vEiEk|c~U`WM|fpcYcE7eQA00! zM@LskX-_yoD|tj!T6K6-HA`}TGfs0cMp`p-3SX78dQL>5Tq3mT7QE{BPfQpz+&sU< zyiLp)KOX`_q5U@+<*mwQ8|#|f$t@FA|tKVl@nN< zT_Xg;AXU)b860bbA7d(0gsjKYa)aX35E!pEl$G?UVm<}}tGQu^c_GF!RK5E%OGXA^ zjLGYFF?a8^tI%pI^5xp6kZJLiCJO#&!3m+?PUNM0HF?Mp;xjRz@~sdSPf|XF^g*PeXEaO?Xub zXhBYNX>u}na#c5OH%Du8M=NweXKOEVcuY`OWM_DJN;P_AbYW~zNO@zEUjY|?HcE6_ zbY^NRK~FYKYho}kR#{|gIW#wKOLbCObu&&)bxCMMOjJfob5lVIHF9%8SV&Z8cy?uF zOf*DMadJpQSx-||c{O!-LorH2a9K<%RB&WzZ$~%^EiEk|FfUAWT1PWzSvGHaZgfRQ zXnJQ?VQxljZ7(rmFlKLUbV4!3SHb)xr606D4WWcOrxV(eU3+5IjtdK z@}E~j{4!||z0^~5qvaPtSJquDp|48StRLh<0npa^y(e&s zNgoL3rfh4h(qn{HlYI%TssjRQji)CM=!wwR=!;FDsMs92+X5sd4M!|^i7lQ3gqpFd ztx-SOc0p1)piK8Cq#R~FYB3?_Wf zoJ6Dbb4;+&4tLp;zl~dEyS0v!4&^B^Q+Z%7fJ6gD9Ze2N$Oyi0iTfi{*#aSrm%_To LN$|n?Z<^0T$4Uh# 
diff --git a/secrets/rustypaste.age b/secrets/rustypaste.age index 6ac842633a9bb56f3a5b75c23d8f0b0c7381a98d..8dba28ca08ffbefc157a1f73d3adf7fba5ec3fb3 100644 GIT binary patch literal 729 zcmZY2JBZT&002-=afvwTB8X)0!%=GfO>=_KrfKtO($BR`8pI<>)1+zAG{5EpIykr- zf^dQkqPU2QgKkc8-k_VqIf;X(9F98PsPnnK?P-=-HWx;iFXNfNxbBA*v_gRLO)!e= zvN=Hs0-->Cma0k$rilQFK53YhoXym!&PFnA1aYI1nWB-PPF@v@gp#^FRB``gmlRYw=&xVya>r8brREDYvO)5(b@h8l9(>2-L0+L8i`%XHZPAPj- zr`gezt;kJ5Guj>k8Bt?oiAt(?gpJjXZyI7-sRb4)M{$A?XLg5{3L`}4@XV`noyKM% z)w^!XY1bJBLObI|55Poa+}tejvMG|0Yx}m;qUox)s`q>cr^rFROo@35;#!_{e3K1F zCTgHm(CI&LC80+&LsEo=<|58uZsjhB1{wIJI6+rXVo$6T$ecuLmry;+8P*Fl$w(|r z!PLQI6w6SFtf`J_G5jnK234S3E`ttRwP`qMBS~MOV9}+r-VCjE_*|#zM6WH?R|#u4 zt5T_F0G|kQ!})&x>5Y49J`rwd=T6S9u(7_e{`SfK+V;oC-n$Fmp6$NizMO{lu3qNX zUmZQXwsY}Aq04u|+rK~mx_@-|`tBoq8~L$A2kgteH-An%KLehk7s&3d!`07&gTt@# O{=tK-<)!i2_kRJTK>C6J delta 454 zcmV;%0XhEJ1^ok%EPq5yXnIRyV=rN8Mt52_M`Cn(cUEUrbSqjoLuf-}bZ}2(WJYaq zYHD>?X9{ysS#m{KHbhB6D?~#=LorKQMOIX4LR2tvV>Co!RB$+SF+xT`ZCGVaZwf6w zAaiqQEoEdfH8n9gAYwB}Y*0ZUZEP_#a!^HdZ(2b(P(*2UNJVmQQBP)LW=Kg@Wl3jf zZfr|VNH$7gZ(%Y)3RGn>N;ghMHc(DhcS2TSVntMEaW!#lHbQVwVr5b@NoZ?HR&{bK zO)@!=@ECt+byY%6YC&#ca$z?sIBi5lLSsd2S~5gUb3{fkPHkmDIcY&~bxbu_NOuY= zYI8C{HB)tVSZQZcFIsJRGjBLnX?Qb2adJv#VKZ<{YgT1)W;sxHa!m>?EiE8WYchH< zH%K*gGjvO2SW8Y&Oix-kOm9p#XHs)7LU&|%HF